Effective on: 31 July 2020
Introduction and Scope
VirTrial acts as an agent, also known as a data processor, for the Personal Data we process for our clients when providing our Services. This means that our clients determine the type of Personal Data they provide for us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our clients. As an exception, VirTrial acts as a data controller for the Personal Data we collect through our website and for our Virtual Trial Certification and training services (for more about these services and how your Personal Data is collected or processed, please see below).
Basis of Processing
Within the scope of this Policy, we process Personal Data based on the instructions of our clients. All personal data is encrypted in transit and at rest.
How We Receive Personal Data
We may receive your Personal Data when:
- you provide it directly to us as part of using our Services;
- our clients (including their employees, contractors, and other representatives of the company, such as doctors and patient coordinators) provide it to us;
- you provide it directly to us via our website; or
- your caregiver provides it to us.
Categories of Personal Data
We may process the following types of Personal Data:
- biographical information, such as first and last name and date of birth;
- contact information, such as mobile phone number, email address, and postal code;
- answers to survey questions, which may include data related to health and medical conditions;
- content of written communication with clinical study coordinators, which may include data related to health and medical conditions;
- images and audio/video streams, which could contain any category of Personal Data; and;
- Categories of Personal Data specifically related to our Virtual Trial Capable services, as detailed below.
Purposes of Processing
We may process your Personal Data for the purpose of enabling the use of the Services. We are a Telemedicine service that provides a secure method of video, email, and text communication between clinical trial teams and patients. Personal Data can be used for conducting video visits, sending appointment, medication, and other reminders via SMS message, email, or our secure message functionality, as well as to generate compliance and other pertinent reports for review.
We retain Personal Data for as long as instructed by the respective client (who typically acts as a data controller). We delete the Personal Data submitted to us by our clients within six months of the end of our service agreement with the client, unless applicable laws require otherwise.
Sharing Personal Data with Third Parties
We may share Personal Data with our service providers, who process Personal Data on our behalf and who contractually agree to use the Personal Data only to assist us in providing our Services or as required by law. Our service providers may provide cloud-based web and application hosting and business and technical support.
Some of these third parties may be located outside of the United States. However, before transferring your Personal Data to these third parties, we will either ask for your explicit consent or require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain responsible for the protection of your Personal Data within the scope of our Privacy Shield certification that we transfer to third parties, except to the extent that we are not responsible for events that lead to any unauthorized or improper processing.
Also, some of these third parties may be located outside of the European Union or the European Economic Area. In some cases, the European Commission may not have determined that these countries’ data protection laws provide a level of protection equivalent to European Union law. We will only transfer your Personal Data to third parties in these countries when there are appropriate safeguards in place. These may include the European-Commission-approved standard contractual data protection clauses.
Other Disclosure of Your Personal Data
We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.
We reserve the right to use aggregated, anonymous data for any legal business purpose. Such data does not include any Personal Data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and clients.
If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.
We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies, since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.
If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all of our Services’ features. For more information, please visit https://www.aboutcookies.org/.
You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Services do not have the capability to respond to “Do Not Track” signals received from web browsers.
Data Integrity & Security
We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect your Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.
Notification of Breach
In the case of a Data Security Incident or Breach, the data controller will be notified. In addition, steps will be taken in response to the incident, including notification to affected individuals, the Secretary of U.S. Dept. of Health and Human Services, and the media per requirements.
VirTrial does not intend to collect Personal Data for minors (“minors” are individuals who have not reached the age of majority in their residential jurisdictions), without first obtaining consent from the minor’s parental or legal guardian in alignment with relevant legal requirements.
Access & Review
If we process your or your child’s Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data.
If we have received your Personal Data in reliance on the Privacy Shield, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you originally authorized. Requests should be sent directly to the VirTrial client who provided your Personal Data to us. VirTrial has limited rights to access the Personal Data that our clients submit to us. Therefore, if you contact us with such a request, please provide the name of the VirTrial client who submitted your Personal Data to us. We will forward your request to that client, and provide any needed assistance as they respond to your request.
For Personal Data requests relating to Personal Data we collect on our website and for the purposes of the Virtual Trial Capable services, you can send requests directly to us or our Data Protection Officer, at the contact details set out further below.
Systems for which VirTrial is a Data Controller
VirTrial acts as a data controller, for the Personal Data we receive collected via our website as a part of our Virtual Trial Capable certification process. This information is added to our database and will only be used to contact you for business purposes. VirTrial may collect the following information via our website for this purpose:
- First name;
- Last name;
- Mobile phone (optional);
- Site name, address, phone number and therapeutic specialties.
Personal Data obtained from our website through our Virtual Trial Capable training may be shared with our contracted clients should they request a list of clinical trial sites which are capable of conducting virtual trials. This information is not sold, shared or distributed. Personal information obtained from our website via the Virtual Trial Capable training will be stored in our database for as long as there is a lawful basis under applicable law for us to process this Personal Data (whether for our legitimate interest business purposes, as required by applicable law or otherwise) unless you request it to be removed.
EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
For Personal Data processed in the scope of this Policy, VirTrial complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”), as adopted and set forth by the U.S. Department of Commerce regarding the processing of Personal Data transferred from the European Union, the European Economic Area, the United Kingdom, or Switzerland to the United States, or otherwise received in reliance on the Privacy Shield. We commit to adhere to the Privacy Shield Principles and have certified our adherence to the Department of Commerce.
Where a privacy complaint or dispute cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, a United States-based alternative dispute resolution provider. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
If your dispute or complaint can’t be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you under the Privacy Shield’s “Recourse, Enforcement and Liability Principle” and Annex I of the Privacy Shield.
U.S. Regulatory Oversight
VirTrial is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
European Union Supervisory Authority Oversight
If you are a data subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Union member states.
Changes to this Policy
This policy is reviewed on an annual basis, at a minimum. Therefore, changes may occur from time to time. If we make any material change to this Policy, we will post the revised Policy to https://virtrial.com/privacy-policy/. We will also update the “Effective” date. By continuing to use our Services after we post any of these changes, you accept the modified Policy.
If you have any questions about this Policy or our processing of your Personal Data, please write to us by email at firstname.lastname@example.org or by postal mail at:
Attn: Security Officer
7047 E Greenway Pkwy. Suite 190
Scottsdale, AZ 85282
Please allow up to four weeks for us to reply.
European Union Representative
We have appointed VeraSafe as our representative in the EU for data protection matters. While you may also contact us, VeraSafe can be contacted on matters related to the processing of Personal Data. To contact VeraSafe, please use this contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/ or via telephone at: +420 228 881 031.
Alternatively, VeraSafe can be contacted at:
VeraSafe Ireland Ltd
Unit 3D North Point House
North Point Business Park
New Mallow Road
Data Protection Officer
We have appointed VeraSafe as our Data Protection Officer (DPO). While you may
also contact us directly, VeraSafe can be contacted concerning our processing of Personal Data. VeraSafe’s contact details are:
22 Essex Way #8203
Essex, VT 05451 USA